Document History
Version Date: / December 2007Version Number: / 1.0
Status: / Approved
Next Revision Due: / December 2010
Developed By: / Carol Aulton
Policy Sponsor: / Clinical Records Committee
EIRA Completed: / 01 December 2007
Approved By: / Integrated Governance Committee
Date Approved: / May 2008
Revision History
Version / Revision date / Summary of Changes1.0 / December 2007 / Policy developed – based on previous PCTs’ policies
Distribution and Approval
Name / Version / Date / CommentsClinical Records Committee / 1.0 / Dec 07 / Sent out for comments
Clinical Records Committee / 1.0 / Feb 08 / Small changes made - Approved
Information Governance Committee / 2.0 / March 08 / Small changes made - Approved
Integrated Governance Committee / 2.0 / May 08 / Approved
Clinical Records Committee / 3.0 / Jan 10 / Updated procedure for Child Health Records, inclusion of Contact details for requests – Approved
Information Governance Committee / 3.0 / Jan 10
ACCESS TO RECORDS POLICY
Contents
1 Aim of the Policy..………………………………………………………..…. 1
2 Background…….…………………………………………………………..... 1
3 Area of Implementation……………………………………………………. 1
4 Organisational Accountability/Responsibilities………………………. 1
5 Intended Users………………………………………………………………. 1
6 Definitions……………………………………………………………….…… 1
6.1 Data Controller……………………………………………………… 1
6.2 Data User…………………………………………………………….. 2
6.3 Data Subjects……………………………………………………….. 2
7 Information Uses……………………………………………………….…… 2
8 Duty of Confidence……………………………………………………….... 3
9 Right to Access Health Records……………………………………..….. 3
10 Patient’s Consent………………………………………………………..…. 3
11 Procedures for Compliance with the Act………………………………. 4
12 Applications Under the Act……………………………………………..... 4
9.1 Request by the Patient……………………………………………. 4
9.2 Request for Child Health Records…………………………….... 4
9.3 Request by Solicitor/Law Society……………………………..... 5
9.4 Deceased Patients……………………………………………….... 5
13 Fees for Applications…………………………………………………….... 5
14 Monitoring the Effectiveness…………………………………………….. 5
15 References……………………..……………………………………….…… 6
16 Appendices……..…………………………………………………….…...... 6
17 Developed By……………………………………………………………….. 6
18 Unique Document Number/Reference…………………………………. 6
19 Distribution List……………………………………………………………. 6
Flowchart……………………………………………………………………………... 8
1 Aim of the Policy
The aim of this policy is to ensure that individuals have access to their records, either manual or computerised. People should be fully informed of the ways in which information about them may be used.
All health professionals should encourage the sharing of information with the patient during their treatment and care.
2 Background
The Data Protection Act 1998 makes provision for the regulation of the processing of information relating to living individuals including the obtaining, holding, use or disclosure of such information. The Act brings into force the provisions of the EU Data Protection Directive giving individuals the right to gain access to information held about themselves, both computerised and manual records. This applies to all living individuals, including NHS patients receiving care within and outside the NHS as well as private patients cared for by NHS units.
The Data Protection Act 1998 supersedes the Access to Health Records Act 1990 with effect from 1 March 2000, with the exception of those sections dealing with requests for access to information concerning deceased patients. The Access to Health Records Act 1990 will remain in force so as to continue to allow the representatives of deceased patients’ rights to access records.
Requests may also be received under the Freedom of Information Act, however please refer to the FOI Policy for the procedure on releasing of information.
3 Area of Implementation
All areas within the Trust.
4 Organisational Accountability/Responsibilities
4.1 The Chief Executive has overall accountability.
4.2 Head of Sites and Services and the Assistant Out Patient and Health Records Manager are responsible for the implementation
4.3 The Data Access Officer will be responsible for receiving and processing of all access to records requests in respect of Adult records.
4.4 Quality and Integrated Governance Directorate will be responsible for all access to records requests in respect of Child Health Records and for contacting the relevant Clinician in respect of these requests.
4.5 The Clinical Records Committee will be responsible for approving any changes/updates to the Policy.
5 Intended Users
All staff.
1
6 Definitions
6.1 Data Controller
A “Data Controller” is a person or organisation who holds and uses personal information. As Data Controllers, employers have a responsibility to establish workplace practices and policies that are in line with the Act.
6.2 Data User
A “Data User” includes employees whose work involves processing personal information. As a Data User, employees have a legal duty to protect the information which they process.
6.3 Data Subjects
“Data Subjects” are patients, customers, suppliers, clients etc. Data Subjects are also individuals within the workplace that the information is about. They may be current employees, people applying for jobs or former employees.
7 Information Uses
This policy details the procedures the Trust has adopted for dealing with applications for access to health records under the Act. All other services must have procedures in place for dealing with access requests for information.
The Data Protection Act 1998 refers not just to health records, but all types of information, including personnel, occupational health, supplies, union records and all other relevant filing systems.
Information uses are:
1 With the patient’s written consent for a particular purpose
2 On a need to know basis, with the patient’s written or implied consent, to co-ordinate care and treatment of the patient with other Agencies
3 When the information is required by statute or court order, even if the patient refuses to allow disclosure
4 Passing on the information can be justified for other reasons eg the best interests of the patient and/or public
Further direction may be obtained from ‘The Protection and Use of Patient Information’ issued by the Department of Health, the Trust’s Caldicott Guardian, or Assistant Out Patient and Health Records Manager.
Patients must be informed of the purpose for which information is collected and the type of organisations to which information may need to be passed in order to co-ordinate their care eg social services, local authorities, health authorities. This information to patients should be included in:
2
Ø Information leaflets, appointment letters, notice boards, clinic consulting rooms etc
Ø Talking to patients as part of their care planning
Ø Ensuring that further information is provided for a patient should it be required eg
- Arrangements for people whose first language is not English
- Restricted vision or reading skills
- Notices in public areas, media etc
8 Duty of Confidence
All NHS bodies, all staff carrying out functions on behalf of the NHS, and everyone working for the NHS, have a common law duty of confidence to patients and to his or her employer. Other individuals or agencies to which information is legitimately passed may use it for authorised specific purposes only.
In the event of confidence being breached, senior staff should be advised and disciplinary action may be taken. All staff should be made aware of these issues at interview, induction and within their contract of employment.
Deceased patient records remain confidential, although actual death certificates are not confidential.
9 Right to Access Health Records
All patients have the right to access their own manual or computerised records, irrespective of when they were created, under the Data Protection Act 1998. Access should be given wherever possible, subject to the approval of the Health Professional responsible for the patient’s care, with safeguards for other people who have been involved in the provision of information about the patient.
Information relating to another individual who can be identified from that information (including being identified as the source) may be withheld, unless:
Ø The other individual consents to the disclosure, or
Ø It is reasonable in all the circumstances to supply the information without consent (see ‘Data Protection Act 1998 – an introduction’ for further detailed guidance)
10 Patient’s Consent
Circumstances may arise when a patient, due to his/her mental or physical condition, may be unable to give informed consent. No-one is allowed to give consent on behalf of an adult, and in this case it will be the decision of the Health Professional concerned, together with the views of relatives and carers, to decide to pass on information or not, taking into account the best interests of the patient, however anyone with Lasting Power of Attorney for the patient under the Mental Capacity Act has the rights to any information that the patient would normally receive (refer to the Mental Capacity Act for further guidance).
3
Young people aged 16 and above are regarded as adults for purposes of consent and are therefore entitled to the same duty of confidence and access as adults.
Children under 16 who have the capacity and understanding to take decisions themselves, about their own treatment, are also entitled to decide whether information may be passed on and should have their confidence and request for access respected.
(They may be receiving treatment or counselling and do not wish for their parents to know.) For children whose families are split the ‘custodial rights documents’ must be provided with the request for access. – See 12.2 for guidance on releasing child health records.
In other instances, the decision to pass on information may be taken by those with parental responsibility in consultation with the Health Professional concerned.
11 Procedures for Compliance with the Act
The overall responsibility for the procedures for compliance with the Act lies with the Caldicott Guardian.
The Health Professional with responsibility for the patient’s care must be contacted in respect of all applications. He/she will be asked for permission to release the health record and to indicate whether there are any grounds for withholding access to any part or the whole of the health record.
Access may only be withheld where there is a likelihood that disclosing information may cause serious physical or mental harm to the patient, or to any other individual.
Where the applicant is requesting an alteration to the record the Healthcare Professional and the Caldicott Guardian should be contacted immediately. A legal opinion may be required if the Caldicott Guardian considers it to be appropriate.
12 Applications Under the Act
Where records have been added to within the last 40 days, the time-scale for dealing with the application is 21 days.
Where the record has not been added to within the last 40 days the time-scale for dealing with the application is 40 days.
12.1 Request by the Patient
When a request is received, either verbally or in writing, an application form (Appendix B) should be sent to the patient. When this application is satisfactorily completed (validity verified with appropriate authorisations included) and received (which also includes transmission by electronic means), the process for dealing with the access request begins. The application form must be date-stamped as received and the request dealt with within the time-scales as above.
4
12.2 Request for Child Health Records
Due to the potential complexity of child health records, all requests received must be forwarded to Quality and Integrated Governance, for scrutinisation by the appropriate Health Professional, prior to release. Under no circumstances should these records be released without prior approval – see Appendix A.
12.3 Request by a Solicitor/Law Society
If a request for information comes from a solicitor, the records must not be disclosed, without also having written consent from the patient. The agreed form (Appendix A) should be completed by the solicitor whether or not court proceedings are contemplated. When completed by and received from the solicitor the application should be date-stamped and the request dealt with within the appropriate time-scales.
12.4 Deceased Patients
Rights of access to the health records of a deceased patient are covered by the Access to Health Records Act 1990. This Act allows the personal representative or any person with a claim arising from the estate or with the consent of an executor or administrator of the estate, to seek access. Access to a deceased person’s record should not be granted if the record itself includes a note confirming that the patient did not wish access to be granted after his/her death.
The checklist for Access to Records must be completed for each request – See Appendix D.
13 Fees for Applications
13.1 There is no fee for patients who have been treated within the last 40 days preceding the date of the request.
13.2 An administration fee of £15.00, photocopying at 35p per copy and special delivery charge (this will vary dependent upon the weight of the envelope), will apply for every request.
13.3 The total charge made must not exceed £50.00 for manually held records.
13.4 The total charge made must not exceed £10.00 for electronically held records.
13.5 There is no fee for requests received from the Police (including requests for statements), Criminal Injuries Compensation Authority or Department of Social Security (see HSC 1999/001).
13.6 Patients who wish to view their records, whether held electronically or manually, a maximum charge of £10.00 will apply. Patients who view their records but then request a copy, the £10.00 charge must be incorporated in the overall fee.
5
14 Monitoring the Effectiveness
Monthly audits to be carried out to monitor the effectiveness of this policy and to ensure all requests received are processed within the timescales as set out in 12 above. The results of the audits will be fed back to the members of the Clinical Records Committee.
15 References
Data Protection Act 1998
Access to Health Records Act 1990
The Protection and Use of Patient Information
Confidentiality Policy
IM&T Security Policy
Health Service Circular 1999/001
Leaflet - Your
16 Appendices
Appendix A Procedure for Access to Child Health Records
Appendix B Application for Access
Appendix C Access to Health Records – Confirmation
Appendix D Access to Health Records – Checklist
Appendix E Letter to Health Professional
Appendix F Letter to Solicitor enclosing copies
Appendix G Audit of Requests
Appendix H Contact Details
17 Developed By
Carol Aulton, Assistant Out Patient and Health Records Manager
18 Issue Date
December 2007
19 Review Date
December 2010
18 Unique Document Number/Reference